>> But the other direction does not work (HOST to VM).
>> Maybe no big problem unless the user assigns IP addresses to multiple bridges.

I'll do a test today. Because I know OpenStack can use dhcpd from the host, with different bridges + IP, and they have DHCP inbound rules for the tap interfaces.

I'll try to make a sample of rules for:

internet->host
host->internet
host->tap
tap->host
tap->tap

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday 23 January 2014 07:11:48
Subject: RE: [pve-devel] RFC : iptables implementation

> They also add an -input rule for outgoing packets from tap. (I think this is
> for tap to host)
>
>
> -A INPUT -j proxmoxfw-chain-INPUT
> -A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
> -A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
>
>> -A proxmoxfw-chain-INPUT -m physdev --physdev-in tap110i0 --physdev-is-bridged -j tap110i0-OUT

So we can filter from VM to HOST correctly - that conforms to the docs.
But the other direction does not work (HOST to VM).
Maybe no big problem unless the user assigns IP addresses to multiple bridges.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
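As an added example (not code from the thread or from Proxmox VE), a small sh/awk checker that reads an iptables-save style listing of the chain layout quoted above (constructed here for tap100i0, jumps from INPUT/FORWARD resolved to the user chains) and reports which of the directions under discussion has a physdev hook and which does not; the missing one is the HOST to VM gap Dietmar describes.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox VE): for one tap interface,
# report which traffic direction reaches a --physdev-in/--physdev-out rule:
#   tap->host    a rule reachable from INPUT   with --physdev-in  <tap>
#   tap->bridge  a rule reachable from FORWARD with --physdev-in  <tap>
#   bridge->tap  a rule reachable from FORWARD with --physdev-out <tap>
#   host->tap    a rule reachable from OUTPUT  with --physdev-out <tap>

# Constructed sample: the rule layout quoted in the thread, for tap100i0.
sample_rules() {
    cat <<'EOF'
-A INPUT -j proxmoxfw-chain-INPUT
-A FORWARD -m physdev --physdev-out tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A FORWARD -m physdev --physdev-in tap100i0 --physdev-is-bridged -j proxmoxfw-chain
-A proxmoxfw-chain-INPUT -m physdev --physdev-in tap100i0 --physdev-is-bridged -j tap100i0-OUT
EOF
}

# tap_coverage <tap>  (rules on stdin): prints "<direction> filtered|UNFILTERED"
tap_coverage() {
    awk -v tap="$1" '
        $1 == "-A" {
            n++; chain[n] = $2; in_dev[n] = ""; out_dev[n] = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--physdev-in")  in_dev[n]  = $(i + 1)
                if ($i == "--physdev-out") out_dev[n] = $(i + 1)
                if ($i == "-j") parent[$(i + 1)] = $2   # target chain -> calling chain
            }
        }
        END {
            for (r = 1; r <= n; r++) {
                root = chain[r]          # walk jumps back to the builtin chain
                for (k = 0; (root in parent) && k < 16; k++) root = parent[root]
                if (root == "INPUT"   && in_dev[r]  == tap) seen["tap->host"]   = 1
                if (root == "FORWARD" && in_dev[r]  == tap) seen["tap->bridge"] = 1
                if (root == "FORWARD" && out_dev[r] == tap) seen["bridge->tap"] = 1
                if (root == "OUTPUT"  && out_dev[r] == tap) seen["host->tap"]   = 1
            }
            m = split("tap->host tap->bridge bridge->tap host->tap", dirs, " ")
            for (j = 1; j <= m; j++)
                printf "%s %s\n", dirs[j], (dirs[j] in seen) ? "filtered" : "UNFILTERED"
        }'
}

sample_rules | tap_coverage tap100i0
```

Feed it `iptables-save -t filter` output instead of the sample to check a live host; the check only says whether a hook exists, not what the per-tap chains then do.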